S3: Enforce bucket policy (#7471)

* evaluate policies during authorization * cache bucket policy * refactor * matching with regex special characters * Case Sensitivity, pattern cache, Dead Code Removal * Fixed Typo, Restored []string Case, Added Cache Size Limit * hook up with policy engine * remove old implementation * action mapping * validate * if not specified, fall through to IAM checks * fmt * Fail-close on policy evaluation errors * Explicit `Allow` bypasses IAM checks * fix error message * arn:seaweed => arn:aws * remove legacy support * fix tests * Clean up bucket policy after this test * fix for tests * address comments * security fixes * fix tests * temp comment out
2025-11-12 22:14:50 -08:00
parent 50f067bcfd
commit 508d06d9a5
47 changed files with 1104 additions and 749 deletions
--- a/weed/s3api/auth_credentials_test.go
+++ b/weed/s3api/auth_credentials_test.go
@@ -194,7 +194,7 @@ func TestLoadS3ApiConfiguration(t *testing.T) {
 			expectIdent: &Identity{
 				Name:         "notSpecifyAccountId",
 				Account:      &AccountAdmin,
-				PrincipalArn: "arn:seaweed:iam::user/notSpecifyAccountId",
+				PrincipalArn: "arn:aws:iam::user/notSpecifyAccountId",
 				Actions: []Action{
 					"Read",
 					"Write",
@@ -220,7 +220,7 @@ func TestLoadS3ApiConfiguration(t *testing.T) {
 			expectIdent: &Identity{
 				Name:         "specifiedAccountID",
 				Account:      &specifiedAccount,
-				PrincipalArn: "arn:seaweed:iam::user/specifiedAccountID",
+				PrincipalArn: "arn:aws:iam::user/specifiedAccountID",
 				Actions: []Action{
 					"Read",
 					"Write",
@@ -238,7 +238,7 @@ func TestLoadS3ApiConfiguration(t *testing.T) {
 			expectIdent: &Identity{
 				Name:         "anonymous",
 				Account:      &AccountAnonymous,
-				PrincipalArn: "arn:seaweed:iam::user/anonymous",
+				PrincipalArn: "arn:aws:iam::user/anonymous",
 				Actions: []Action{
 					"Read",
 					"Write",